Conventionally, in a communication data networking environment, if a user operating a network computer device were going to manage membership of a particular group of users, they would need specific management rights over that particular group or the ‘container’ in which the group is operating. Normally, the user attempting to perform such management operations would need specifically granted rights.
A flexible method of distributing permissions to certain users to perform administrative-level tasks for a large-scale communication network infrastructure does not exist in current security role management applications. Such logic is normally found on the specific device, application, or node that the administrative task would manipulate, each of which would need to be configured separately.
In one specific example, when processing the business rules for permissions, conventional application programming interfaces (APIs) used to manage authorization rely on the operations level of permissions. If the operations indicate that a user should belong to a specific role, that user is associated with the role. The rights a user receives to a privilege are then determined by their assigned role association. This scenario provides business rules which cannot be independent of a particular role, since the rules are stored within the role. When using such an API, a check against access to operations may be used; however, this is not a true role identification operation.
Using conventional authorization approaches, any operations associated with a role would only pass an access check during the period consistent with that role's privileges; at any other time, the user would neither have access to those operations nor be in the role, due to time limitations. Also, if a change is made to the business rules while a user is logged into the conventional security application, the user must log out and log back in to the application to experience the changes.
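The two conventional limitations just described, a time window stored inside the role and a login-time snapshot that does not see later rule changes, modelled as an added example (this code is not part of the patent text; the `helpdesk` role, the user `alice`, the operations and the 08:00 to 18:00 window are constructed values):

```python
import copy
from datetime import datetime, time

# Constructed example of the conventional model: the business rule (a time
# window) is stored inside the role, and a session snapshots roles at login.
ROLES = {
    "helpdesk": {
        "operations": {"reset_password", "unlock_account"},
        "active_window": (time(8, 0), time(18, 0)),  # rule lives within the role
    },
}
USER_ROLES = {"alice": {"helpdesk"}}

def role_active(role_def, now):
    """The user is only 'in' the role while the role's own time window is open."""
    start, end = role_def["active_window"]
    return start <= now.time() < end

def live_check(user, operation, now):
    """Access check against the current role definitions (no caching)."""
    return any(role_active(ROLES[r], now) and operation in ROLES[r]["operations"]
               for r in USER_ROLES.get(user, set()))

class ConventionalSession:
    """Roles copied at login; later rule changes stay invisible until re-login."""
    def __init__(self, user):
        self.roles = copy.deepcopy({r: ROLES[r] for r in USER_ROLES.get(user, set())})

    def check(self, operation, now):
        return any(role_active(d, now) and operation in d["operations"]
                   for d in self.roles.values())

def demo():
    """Return (in-window, out-of-window, live-after-revoke, session-after-revoke)."""
    day = datetime(2024, 1, 15, 10, 0)    # inside the 08:00-18:00 window
    night = datetime(2024, 1, 15, 20, 0)  # outside it: not in the role at all
    session = ConventionalSession("alice")
    in_window = live_check("alice", "reset_password", day)
    out_window = live_check("alice", "reset_password", night)
    # An administrator removes the operation from the role while alice is logged in.
    ROLES["helpdesk"]["operations"].discard("reset_password")
    return (in_window, out_window,
            live_check("alice", "reset_password", day),   # live view: denied
            session.check("reset_password", day))         # stale snapshot: still granted
```

The last value is the security-relevant one: a revocation made in the role definition is not honoured by the already-authenticated session, so the user keeps the operation until they log out and back in.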